author: Sandrine Bailleux <sandrine.bailleux@arm.com> 2022-05-16 13:57:38 +0200
committer: Sandrine Bailleux <sandrine.bailleux@arm.com> 2022-05-31 08:41:31 +0200
commit: 0677796cb65374499b9e542c1d23ce57aefa9140 (patch)
tree: 489d909dd4346b527140e64827f285b1d2e59bbe /docs/threat_model
parent: 7e32cdb21ec8f57dfac1639daba6dc0880e03772 (diff)
docs(threat-model): broaden the scope of threat #05
- Cite crash reports as an example of sensitive information. Previously, it might have sounded like this was the focus of the threat.
- Warn about logging high-precision timing information, as well as conditionally logging (potentially nonsensitive) information depending on sensitive information.

Change-Id: I33232dcb1e4b5c81efd4cd621b24ab5ac7b58685
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Diffstat (limited to 'docs/threat_model')
-rw-r--r--  docs/threat_model/threat_model.rst  35
1 files changed, 24 insertions, 11 deletions
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 0f6e2af01..38e5c87dd 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -463,18 +463,25 @@ These are highlighted in the ``Mitigations implemented?`` box.
+------------------------+---------------------------------------------------+
| ID | 05 |
+========================+===================================================+
-| Threat | | **Information leak via UART logs such as |
-| | crashes** |
+| Threat | | **Information leak via UART logs** |
| | |
| | | During the development stages of software it is |
-| | common to include crash reports with detailed |
-| | information of the CPU state including current |
-| | values of the registers, privilege level and |
-| | stack dumps. This information is useful when |
-| | debugging problems before releasing the |
-| | production version, but it could be used by an |
-| | attacker to develop a working exploit if left |
-| | in the production version. |
+| | common to print all sorts of information on the |
+| | console, including sensitive or confidential |
+| | information such as crash reports with detailed |
+| | information of the CPU state, current registers |
+| | values, privilege level or stack dumps. |
+| | |
+| | | This information is useful when debugging |
+| | problems before releasing the production |
+| | version but it could be used by an attacker |
+| | to develop a working exploit if left enabled in |
+| | the production version. |
+| | |
+| | | This happens when directly logging sensitive |
+| | information and more subtly when logging |
+| | side-channel information that can be used by an |
+| | attacker to learn about sensitive information. |
+------------------------+---------------------------------------------------+
| Diagram Elements | DF2 |
+------------------------+---------------------------------------------------+
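Review bot: grammar nit in the rewritten Threat description, "current registers values" should read "current register values". More substantively, the new closing paragraph ("This happens when directly logging sensitive information and more subtly when logging side-channel information that can be used by an attacker to learn about sensitive information.") introduces side-channel leakage without saying what kind of logged data counts; since the commit message already calls out high-precision timing information, naming timing data here as the example would make the threat self-explanatory to a platform porter reading this row on its own and keep it consistent with the mitigations that follow.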
@@ -495,7 +502,13 @@ These are highlighted in the ``Mitigations implemented?`` box.
+------------------------+------------------+----------------+---------------+
| Total Risk Rating | N/A | Medium (8) | Medium (8) |
+------------------------+------------------+----------------+---------------+
-| Mitigations | Remove crash reports in production releases. |
+| Mitigations | | Remove sensitive information logging in |
+| | production releases. |
+| | |
+| | | Do not conditionally log information depending |
+| | on potentially sensitive data. |
+| | |
+| | | Do not log high precision timing information. |
+------------------------+---------------------------------------------------+
| Mitigations | | Yes / Platform Specific. |
| implemented? | Requires the right build options to be used. |
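Review bot: the two new mitigations ("Do not conditionally log information depending on potentially sensitive data." and "Do not log high precision timing information.") are coding guidelines enforced by review, not by build configuration, yet the unchanged "Mitigations implemented?" row still reads "Yes / Platform Specific. Requires the right build options to be used." Consider stating which mitigation the build options actually cover (removing sensitive logging from production builds) so the row does not overclaim for the other two. The conditional-logging guideline would also be clearer with its failure mode spelled out: whether a message appears at all, or how often, can reveal the value of the secret-dependent condition even when the message text itself is harmless. Finally, "high precision timing" should be hyphenated as "high-precision timing", matching the commit message.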